1. What are some examples of security goals that you may have for an organization? Check all that apply.
- To protect customer data from unauthorized access
- To prevent unauthorized access to customer credentials
- To implement a strong password policy
- To deploy an Intrusion Prevention System
2. Which of these would you consider high-value targets for a potential attacker? Check all that apply.
- Authentication databases
- Customer credit card information
- Logging server
- Networked printers
3. What’s the purpose of a vulnerability scanner?
- It protects your network from malware.
- It blocks malicious traffic from entering your network.
- It detects vulnerabilities on your network and systems.
- It fixes vulnerabilities on systems.
4. What are some restrictions that should apply to sensitive and confidential data? Check all that apply.
- It can be transferred via email.
- It can be accessed and stored on personal devices.
- It can be stored on encrypted media only.
5. What’s a privacy policy designed to guard against?
- Eavesdropping on communications
- Misuse or abuse of sensitive data
- Attackers stealing customer data
- Denial-of-service attacks
6. Which of the following are actions and/or steps that can be taken to avoid leaks and disclosures when handling sensitive data?
- Giving the employees the right tools to get their work done without compromising security.
- Understanding what employees need to do to accomplish their jobs.
- Giving unrestricted access to the employees handling sensitive data
- Allowing employees to write their passwords on a post-it note
7. When evaluating the services of a vendor company, which of the following can be used to assess their security capabilities? Check all that apply.
- Ask the vendor to complete a questionnaire
- Assume that they’re using industry-standard solutions
- Request full access to the vendor systems to perform an assessment
- Ask them to provide any penetration testing or security assessment reports
8. What is the goal of mandatory IT security training for an organization? Check all that apply.
- To punish employees with poor security practices
- To educate employees on how to stay secure
- To build a culture that prioritizes security
- To avoid the need for a security team
9. Which of the following are necessary in the organization to create a culture that makes security a priority? Select all that apply.
- Reinforce and reward behaviors that boost the security of the organization
- A working environment that encourages people to speak up.
- Punish employees every time they engage in poor security practices
- Designated communication channels
10. A long and complex password requirement is designed to protect against _________.
- lazy users
- employees' memory loss
- brute force attacks
- password reuse
11. In order to properly handle a security incident, what is the first thing that needs to happen?
- Recover from the incident
- Remove or eradicate the incident
- Contain the incident
- Detect the incident
12. After a security incident, how can an organization be protected against a similar incident occurring again in the future?
- Update antivirus definitions.
- Cross your fingers and hope for the best!
- Change all account passwords.
- Conduct a post-incident analysis.
13. In order to preserve the integrity of any forensic evidence, what should be done before analyzing a hard drive that has been compromised by a security attack?
- Install an antivirus software
- Format the hard drive
- Make a virtual copy or an image of the hard drive
- Connect the hard drive to a computer
14. Which of the following are protections that can be used on mobile devices?
- Screen lock
- Use the device settings to allow or deny apps access to the device's features
- Always have Bluetooth on
- Storage encryption
15. In order to prevent further damage, the breach should be ________.
- contained
- recovered
- audited
- ignored
16. In the Payment Card Industry Data Security Standard (PCI DSS), which of these goals would benefit from encrypted data transmission?
- Implementing strong access control measures
- Maintaining a vulnerability management program
- Monitoring and testing networks regularly
- Protecting cardholder data
17. What tools can be used to discover vulnerabilities or dangerous misconfigurations in systems and networks?
- Vulnerability scanners
- Bastion hosts
- Firewalls
- Antimalware software
18. _____ is the practice of attempting to break into a system or network for the purpose of verifying the systems in place.
- Network probing
- Penetration testing
- Security assessment
- Vulnerability scanning
19. Which of the following should be part of an access data request? Select all that apply.
- Specify exact data needed
- Provide justification
- Time limit
- A second signature
20. Which of the following is recommended to secure authentication?
- Password rotation
- Strong encryption
- 2-factor authentication
- Vulnerability scanning
21. When thinking about credential theft, what is one of the greatest workplace cybersecurity risks?
- Keylogging
- Credential-stealing text messages
- Phishing emails
- Blackmail
22. Which of the following actions should be included when conducting a vendor risk review? Select all that apply.
- Ask the vendor for a cost comparison
- Talk to the vendor’s employees
- Ask the vendor to fill out a security questionnaire
- Test the vendor’s hardware or software
23. What are some things that are generally included on a third-party security assessment report? Select all that apply.
- User reviews
- Third party security audit results
- Penetration testing results
- Customer feedback scores
24. Management wants to build a culture where employees keep security in mind. Employees should be able to access information freely and provide feedback or suggestions without worry. Which of these are great ideas for this type of culture? Select all that apply.
- Designated mailing list
- Posters promoting good security behavior
- Desktop monitoring software
- Bring your own device
25. Once the scope of the incident is determined, the next step would be _____.
- escalation
- containment
- documentation
- remediation
26. In the Payment Card Industry Data Security Standard (PCI DSS), what are the requirements for the “regularly monitor and test networks” objective? Select all that apply.
- Develop and maintain secure systems and applications
- Regularly test security systems and processes
- Track and monitor all access to network resources and cardholder data
- Encrypt the transmission of cardholder data across open public networks
27. What characteristics are used to assess the severity of found vulnerabilities? Select all that apply.
- Remotely exploitable or not
- Use of encryption or not
- Type of access gained
- Chance of exploitation
28. Which of the following devices are considered a risk when storing confidential information? Select all that apply.
- Encrypted portable hard drives
- Limited access file shares
- CD drives
- USB sticks
29. Which of the following are ways to prevent email phishing attacks against user passwords? Select all that apply.
- User education
- Virtual private network
- Cloud email
- Spam filters
30. When contracting services from a third party, what risk is the organization exposed to?
- Zero-day vulnerabilities
- Trusting the third party’s security
- Malware attacks
- DDoS attacks
31. Periodic mandatory security training courses can be given to employees in what way? Select all that apply.
- Brief quiz
- One-on-one interviews
- Interoffice memos
- Short video
32. How can events be reconstructed after an incident?
- By reviewing and analyzing logs
- By interviewing the people involved
- By doing analysis of forensic malware
- By replaying security video footage
33. What is the first step in performing a security risk assessment?
- Logs analysis
- Threat modeling
- Vulnerability scanning
- Penetration testing
35. What is penetration testing?
- Giving network access to a bad actor for the purposes of testing.
- Assessing computers, computer systems, networks, or applications for weaknesses.
- Attempting to break into a system or network for the purpose of verifying the systems in place.
- Attempting to gather credentials with phishing emails.
36. Consider the following scenario:
A co-worker needs to share a sensitive file with you, but it is too large to send via an encrypted email. The co-worker works out of a remote office. You work at headquarters. Which of these options would most likely be approved by the company’s security policies? Select all that apply.
- Upload to company secure cloud storage
- Upload to a personal OneDrive
- Put on a company file server that you both have access to
- Upload to a personal Google Drive
36. Google provides free _____, which is a good starting point when assessing third-party vendors.
- cloud storage
- vendor security assessment questionnaires
- mobile phone services
- business apps
37. What are the first two steps of incident handling and response?
- Incident eradication or removal
- Incident recovery
- Incident detection
- Incident containment
38. When working on a laptop in a public area, always _____ when getting up to use the restroom.
- Ask a coworker to watch the laptop
- Set up a VPN
- Lock the screen
- Ask permission to leave
39. What is a quick way of evaluating a third party’s security?
- A comprehensive penetration testing review
- A security assessment questionnaire
- A signed contract
- A manual evaluation of all security systems
40. When handling credit card payments, the organization needs to adhere to the _____.
- ISO
- HIPAA
- PCI DSS
- IEEE
41. What characteristics are used to assess the severity of found vulnerabilities? Select all that apply.
- Remotely exploitable or not
- Type of access gained
- Chance of exploitation
- Use of encryption or not
42. Which of the following are bad security habits commonly seen amongst employees in the workplace? Select all that apply.
- Password on a post-it note
- Log out of website session
- Leave laptop logged in and unattended
- Lock desktop screen
43. Which of the following are examples of security tools that can scan computer systems and networks for vulnerabilities? Select all that apply.
- Wireshark
- Nessus
- OpenVAS
- Qualys
44. Consider the following scenario:
Your company wants to establish good privacy practices in the workplace so that employee and customer data is properly protected. Well-established and defined privacy policies are in place, but they also need to be enforced. What are some ways to enforce these privacy policies? Select all that apply.
- Print customer information
- Audit access logs
- Apply the principle of least privilege
- VPN connection
45. Third-party services that require equipment on-site may require a company to do which of the following? Select all that apply.
- Unrestricted access to the network
- Provide additional monitoring via a firewall or agentless solution
- Provide remote access to the third-party service provider
- Evaluate hardware in the lab first
46. What are some behaviors to be encouraged in order to build a security-conscious culture? Select all that apply.
- Locking your screen
- Shaming people who haven’t done a good job of ensuring their company’s security
- Checking website URLs when authenticating
- Asking security-related questions